Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise
By default, Kubernetes stores logs from pods in the local disk on the nodes. These logs are ephemeral, because the information is lost when the pod is deleted. You can keep the pods in the cluster instead of deleting them, to keep access to the logs. However, Kubernetes garbage collectors delete the pods when such disk space is needed, and access to the logs is lost. Kubernetes also removes the logs when a node is restarted, for example after applying an update.
Administrators and developers need access to the logs to debug the applications in the event of issues, to analyze application performance, or to review object state changes. A one-week retention period is typically enough for users and administrators to review these logs.
OpenShift Logging uses Grafana Loki as the internal log store to aggregate logs from the entire cluster into a central place and to provide access control to logs. Loki replaces the deprecated Elasticsearch log store from earlier versions of OpenShift Logging. OpenShift Logging can also use other external log stores, such as Splunk, Amazon CloudWatch, or Google Cloud Logging.
Loki is a horizontally scalable, highly available, and multitenant log aggregation system.
Loki indexes only a few fixed labels during ingestion, and then compresses and stores the log data in chunks in object stores.
The Loki operator supports object stores such as AWS S3, Azure, and OpenShift Data Foundation.
The Loki operator includes the LokiStack CR to manage the Loki deployment.
The steps for using Loki as the log store for OpenShift Logging are as follows:
Install the Loki operator.
Configure the Loki object storage.
Create a
LokiStackCR with the object storage credentials.Configure the
ClusterLoggingCR from OpenShift Logging to use Loki as the log store.
OpenShift Logging does not automatically deploy Loki. You must deploy Loki by installing the Loki operator from OperatorHub or by using the CLI. See the references section for instructions.
The Loki operator creates and manages the components of the log store.
Storing logs for your cluster might require significant disk space. Because the required disk space depends on the size of your cluster and application workloads, you might need to plan your storage solution with application developers.
Note
This section focuses only on how to use ODF as the Loki object storage.
For more details about ODF, refer to the DO370: Enterprise Kubernetes Storage with Red Hat OpenShift Data Foundation training course.
For more information about how to configure other S3-compatible object stores, refer to https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/logging/index#logging-loki-storage_installing-log-storage
Similar to a persistent volume claim, you can use an object bucket claim to request an S3-compatible bucket. ODF creates a secret and a configuration map with the same name as the object bucket claim; between them, they provide the credentials and information to access the bucket.
The following excerpt is an example of an object bucket claim definition in the openshift-logging namespace:
apiVersion: objectbucket.io/v1alpha1 kind: ObjectBucketClaim metadata: name:loki-bucket-odfnamespace: openshift-logging spec: generateBucketName:loki-bucket-odfstorageClassName: openshift-storage.noobaa.io
ODF creates a configuration map with the bucket information in the openshift-logging namespace.
You can retrieve one part of the credentials for the bucket from the configuration map as follows:
[user@host ~]$oc get configmap/apiVersion: v1 data: BUCKET_HOST: s3.openshift-storage.svc BUCKET_NAME:loki-bucket-odf-o yamlloki-bucket-odf-69d9...ab91BUCKET_PORT: "443" BUCKET_REGION: "" BUCKET_SUBREGION: "" kind: ConfigMap ...output omitted...
You can retrieve the other part of the bucket credentials from the secret as follows:
[user@host ~]$oc extract --to=- secret/loki-bucket-odf -n openshift-logging# AWS_ACCESS_KEY_IDo0sOY8oaZtPfP18DRjSa# AWS_SECRET_ACCESS_KEYz1QtDH37lUvLnkjpE3E4aS8yQI56CLPozGJOt31e
After you retrieve the credentials, create a secret that contains those credentials in the openshift-logging namespace for Loki to use the credentials:
[user@host ~]$ oc create secret generic logging-loki-odf \
-n openshift-logging \
--from-literal=access_key_id=${ACCESS_KEY_ID} \
--from-literal=access_key_secret=${SECRET_ACCESS_KEY} \
--from-literal=bucketnames=${BUCKET_NAME} \
--from-literal=endpoint=https://${BUCKET_HOST}:${BUCKET_PORT}After installing the Loki operator and creating the object bucket, you create and configure the LokiStack instance with the bucket credentials.
The following example is a LokiStack resource that uses the logging-loki-odf secret that contains the bucket credentials:
apiVersion: loki.grafana.com/v1 kind: LokiStack metadata: name:logging-lokinamespace: openshift-logging spec: limits:global: retention:
days: 20 stream:
- days: 4 priority: 1 selector: '{kubernetes_namespace_name=~"test.+"}' size: 1x.demo
storage: secret: name:
logging-loki-odftype: s3
tls: caName: openshift-service-ca.crt
storageClassName:
ocs-external-storagecluster-ceph-rbdtenants: mode: openshift-logging
| Defines the limits that Loki applies to the log streams. See the references section for more information about the limit types for log streams. |
| This limit defines 20 days for log retention. |
| The retention policy that is based on log streams. Stream-based retention policies are useful if lowering the retention period for a log stream. For example, you might switch to debug mode temporarily in a project to troubleshoot a critical issue. However, debug logs can quickly fill your storage if the retention period is long. Then, you reduce the retention period for that project for a few days. The selector for the stream-based retention policy is specified in the LogQL query language, which is explained later in this section. |
| The size of the |
| The name for the secret that contains the bucket credentials. |
| The corresponding storage type. |
| Loki must configure the Certificate Authority (CA) for the object storage endpoint if the object storage endpoint certificate is not trusted.
For ODF, you can use the OpenShift service CA in the |
| The name of a storage class for temporary storage.
You can list the storage classes for your cluster by using the |
Note
For more information about configuration options for the LokiStack instance, refer to https://loki-operator.dev/docs/api.md/#loki-grafana-com-v1-LokiStack
For more information about the Loki deployment size, refer to https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/logging/index#loki-deployment-sizing_installing-log-storage
For more information about the secret type values, refer to https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/logging/index#logging-loki-storage_installing-log-storage
After you create the LokiStack instance, the Loki operator starts scheduling pods for components.
You can verify the installation by listing the pods in the openshift-logging project and verifying that the Loki pods are running.
The OpenShift Logging ClusterLogging CR configures and manages deploying the OpenShift Logging components.
To configure OpenShift Logging to use Loki as the log store, you must create a cluster logging resource in the openshift-logging namespace and set lokistack as the log store type.
Then, OpenShift Logging uses Loki to store the infrastructure and application logs.
The following excerpt shows a minimum configuration for OpenShift Logging to enable Loki as the log store:
apiVersion: logging.openshift.io/v1
kind: ClusterLogging
metadata:
name: instance
namespace: openshift-logging
spec:
managementState: Managed
logStore:
type: lokistack
lokistack:
name: logging-loki
collection:
type: vector
| The log store type. |
| The name for the internal |
After you create the ClusterLogging instance, the OpenShift Logging operator starts scheduling pods for components.
You can verify the installation by listing the pods in the openshift-logging project and verifying that the collector pods are running.
By default, the OpenShift Logging operator includes logs for the infrastructure and the application. However, the Logging operator does not include audit logs, because these logs might contain sensitive security details.
To include audit logs in the log store, you must create a ClusterLogForwarder CR to configure the log collector to collect them.
The following excerpt shows a minimum configuration to configure the ClusterLogForwarder CR to forward the audit logs together with the infrastructure and application logs to the internal Loki instance:
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
name: instance
namespace: openshift-logging
spec:
pipelines:
- name: all-to-default
inputRefs:
- infrastructure
- application
- audit
outputRefs:
- default
| The type of logs to collect, which include infrastructure, audit, and application logs. |
| The destination for the logs, with the internal Loki instance being the default output. |
OpenShift Logging provides a native OpenShift Console plug-in to view, search, and query logs in the internal log store.
To use the OpenShift web console for logging visualization, first enable the OpenShift Logging console plug-in. You can use the → menu, by selecting the Red Hat OpenShift Logging operator, and ensuring that the console plug-in is enabled as in the following image:
Then, create a cluster logging resource in the openshift-logging namespace and set ocp-console as the visualization type.
The following excerpt shows a minimum configuration for OpenShift Logging to enable the OpenShift web console for visualization:
apiVersion: logging.openshift.io/v1 kind: ClusterLogging metadata: name: instance namespace: openshift-logging spec: ...output omitted...visualization:type: ocp-console
After you enable the web console for visualization, you can view your logs in the → menu. The following image shows the menu and the filters that you can apply to your logs by using the web console:
| Time range for the logs. |
| Filter the logs by content, namespace, pod, or container. |
| Log severity.
Possible values are |
| Log type.
Possible values are |
| The log query in LogQL query language. You can show this field by clicking . |
Loki organizes logs into streams that are called chunks. A chunk is a sequence of log entries that use the same set of labels. Labels are key-value pairs that help identify and filter log entries. Labels can include information such as the application name, environment, severity, or any other relevant metadata. Loki uses LogQL as the query language for filtering and searching logs with labels and other criteria.
By using LogQL in the OpenShift web console, you can extract and filter specific information from the logs.
A LogQL query consists of the following parameters:
The log stream selector, which accepts the following operators:
=equals,!=not equals,=~regex pattern matches, and!~regex pattern does not match.A filter expression, which accepts the following operators:
|=equals,!=not equals,|~regex pattern matches, and!~regex pattern does not match.
When using LogQL in OpenShift Logging, you must always use at least the log_type log stream selector for the log type.
For example, the following LogQL query shows the infrastructure logs:
log_type="infrastructure" | json
Adding the | json string to your query extracts all JSON properties as labels for ease of viewing.
After you type the LogQL query, click to apply it to your logs.
By using LogQL you can filter your logs with more advanced expressions.
For example, the following LogQL query filters the audit logs only from audit.log files in any directory:
log_type="audit" | json | file=~".*audit.log"
You can use multiple log stream selectors and filter expressions to increase filter granularity.
The following example shows a LogQL query for the audit logs that contain the error string but not the warning string, and that return a 403 or 503 status.
log_type="audit" | json |= "error" != "warning" |~ "status [45]03"
Note
For more information about querying Loki by using the LogQL query language, refer to https://grafana.com/docs/loki/latest/logql/
Vector adds OpenShift metadata to pod logs to provide fields for querying and filtering. You can use these fields in your LogQL queries for more precise filtering.
Some fields that you can use in your queries include the following strings:
hostname: The hostname of the OpenShift node for the pod that generates the log.kubernetes_container_name: The name of the container that generates the log.kubernetes_namespace_name: The name of the project that contains the pod that generates the log.kubernetes_pod_name: The name of the pod that generates the log.level: The log level.message: The log message.
By default, the OpenShift Logging operator grants only administrator users access to the logs. Thus, regular users cannot access the logs. As an administrator, you can configure access to the logs for users and groups by using RBAC rules.
The OpenShift Logging operator provides the following cluster roles to simplify RBAC rules:
cluster-logging-application-view: Grants read permission to application logs.cluster-logging-infrastructure-view: Grants read permission to infrastructure logs.cluster-logging-audit-view: Grants read permission to audit logs.
References
For more information about logging on OpenShift, refer to the About Logging section in the Red Hat OpenShift Container Platform 4.14 Logging documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/logging/index#cluster-logging
For more information about installing the Loki operator, refer to the Installing Log Storage section in the Red Hat OpenShift Container Platform 4.14 Logging documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/logging/index#installing-log-storage
For more information about Loki limits for log streams, refer to the LimitsSpec section in the Loki Operator API documentation at https://loki-operator.dev/docs/api.md/#loki-grafana-com-v1-LimitsSpec
